Computer systems of at least 18 Andhra Pradesh police units are among the hundreds in India compromised by the WannaCry ransomware attack, which began on May 12 and is estimated to have affected more than 200,000 computers across 150 countries so far.

Ransomware is a type of malicious software designed to block access to computer systems until a sum of money is paid. The malware is usually sent through email and blocks access by encrypting the targeted system’s data. The ransom is demanded to be paid in the virtual currency Bitcoin, which the Reserve Bank of India does not recognise as an authorised mode of exchange.

In India, ransomware attacks have become rampant since 2015, cyber security experts said, finding victims in a wide range of industries, from pharmaceuticals to hospitality and banking to information technology.

The latest global attack infected computers at private enterprises in Mumbai, Hyderabad, Bangalore and other cities. The Andhra Pradesh police was the first government agency to report being affected. Now, it has emerged that the Gujarat State Wide Area Network and customer care centres of the West Bengal Electricity Distribution Company Limited, a public sector undertaking, were affected as well.

For government agencies in India, though, WannaCry is not the first ransomware experience. At least two such attacks have been reported in the past one year.

State of vulnerability

In January 2017, three servers in the Delhi office of the Quality Council of India, an accreditation body set up jointly by the central government and the Indian industry associations, were attacked by Cerber ransomware. It took cyber security experts over 36 hours to unblock the system through decryption applications. No ransom had to be paid, said a cyber security expert who was involved in the operation.

According to Kislay Chaudhary, a cyber security consultant with the central government, using decryption applications to unblock ransomware-infected computers is easier said than done. There are thousands of decryption applications available on the internet and each has a specific purpose. So the operation is essentially a hit-and-miss. If all the available applications fail to decrypt the data, the only option left is to wait for the discovery of the malicious software’s kill switch to unblock the computer.

In May 2016, computer systems of Maharashtra’s revenue and public works departments were infected by Locky ransomware.

Ransomware blocks access to the infected computer by encrypting data and demands payment to unlock it. Image credit: Reuters

“It is not that government agencies are more vulnerable to these attacks,” said Chaudhary. “The most vulnerable are private or independent servers and customised mail boxes, which fail to spam emails with malware attachments, often because of lack of investment in making the systems safe enough, and inadequate research and development.”

Pavan Duggal, an advocate with expertise in cyber security law, however, contended that “what is visible on the surface is just the tip of the iceberg”.

“Most ransomware attacks are unreported and India is no exception to that,” he said. “Top information technology companies, banks and even government agencies in the country have witnessed such attacks in the past three years. But most attacks were local and isolated in nature. A mass attack like WannaCry is unprecedented.”

So, how can such attacks be tackled? Duggal said India must urgently enact a cyber security law and amend the Information Technology Act to make cyber attacks criminal offences and clearly chalk out the roles and responsibilities, accountability and liabilities of internet service providers and intermediary agencies in case of such offences.

Outside of the government, Cyber Peace Foundation, a Jharkhand-based cyber security non-profit, has invested in a project called Honey Net to combat cyber attacks. Under this project, the NGO has set up deliberately vulnerable computer networks in 10 states, including Jharkhand, Gujarat, Andhra Pradesh and Karnataka, to invite cyber attacks in order to analyse their nature. They recorded an unusual trend a day before the global cyber attack of May 12.

“The system which usually endures 147 cyber attack attempts per day on an average actually endured around 9,000 attacks on Thursday,” said the founder of the NGO Vineet Kumar. They have received requests to deal with 15 WannaCry infection. These clients include private enterprises, academic institutes and government agencies, Kumar said, but did not disclose their identities.

Lax security

In the wake of the WannaCry attack, the Indian government’s Computer Emergency Response Team issued a critical alert and an advisory while the Ministry of Information Technology reached out to key stakeholders such as the Reserve Bank of India, National Payments Corporation of India, National Informatics Centre and Unique Identification Authority of India, advising them to protect their systems against WannaCry and ensure protection of the digital payments ecosystem in the country, PTI reported. The Reserve Bank, in turn, directed banks to down their ATM networks until the machines received the Windows software update that protects against the ransomware.

“ATMs operations are usually outsourced to third parties and it is shocking that more than 70 percent of the ATM network in India operates on Windows XP,” said Chaudhary, referring to an older version of Microsoft’s operating system. “Microsoft has stopped issuing update patches for the XP, though the case of WannaCry is exceptional because they had released patches on receipt of prior input about a possible leak. But most users, including government agencies, often act reluctant in installing update files.”

Chaudhary also said Indian banks have witnessed several malware attacks in the past “but surprisingly many of them are yet to take adequate measures for protection”.